CVE-2026-12862 | Untrusted user data was passed verbatim to Excel exports for… | CVSS 5.1 MEDIUM

Description

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.

Metadata

CVE ID: CVE-2026-12862
State: PUBLISHED
Assigner: rami.io
Reserved: 2026-06-22 08:16 UTC
Published: 2026-06-22 08:26 UTC
Last updated: 2026-06-22 12:23 UTC
Primary CWE: CWE-148
CWE-148 Improper neutralization of input leaders
Vendor / Product: pretix / Venueless
Sources: cve.org · NVD

Severity & Metrics

5.1 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
pretix	Venueless	—	0.0.0 < 0a35457f

Weakness (CWE)

CWE	Source	Description
CWE-148	cna	CWE-148 Improper neutralization of input leaders

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

References (1)

https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86